New Godlua Malware Evades Traffic Monitoring via DNS over HTTPS By Sergiu Gatlan Published: 2019-07-03 · Archived: 2026-04-05 13:16:05 UTC A Lua-based backdoor malware capable of targeting both Linux and Windows users while securing its communication channels via DNS over HTTPS (DoH) was discovered by researchers at Network Security Research Lab of Qihoo 360. By using DoH to encapsulate the communication channels between command-and-control servers, the infected machines, and the attacker-controlled servers within HTTPS requests, the malware dubbed Godlua manages to block researchers from analyzing its traffic. Godlua's main function seems to be that of a DDoS bot and it was already seen in action when its masters launched an HTTP flood attack against the liuxiaobei[.]com domain, as observed by the Qihoo 360 researchers. https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/ Page 1 of 4 0:00 https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/ Page 2 of 4 Visit Advertiser websiteGO TO PAGE Until now, two samples of the Godlua backdoor have been found, with one of them targeting only Linux boxes (version 201811051556) while the other is also able to infect Windows computers, has more built-in commands, and supports more CPU architectures (version 20190415103713 ~ 2019062117473) Godlua versions While Godlua version 201811051556 is currently not being updated anymore, the second sample is actively being updated by its developers which might be the reason behind its extra features and multi-platform support. The version that focuses only the Linux platform can receive only two types of instructions from its command and control (C2) server, allowing the attackers to run custom files and to execute Linux commands. The second variant comes with support for five C2 commands and it "downloads many Lua scripts when executing, and the scripts can be broken down to three categories: execute, auxiliary, and attack." Even though a number of Linux machines were found to have been infected with the Godlua backdoor using a Confluence exploit for CVE-2019-3396, the Qihoo 360 researchers are still looking for additional infection vectors. DNS over HTTPS used to secure C2 traffic Although quite new, the DoH protocol is a proposed standard as of October 2018 and it is already supported by quite a long list of publicly available DNS servers, as well as web browsers like Google Chrome and Mozilla Firefox. DoH increases DNS queries' privacy by enveloping them within HTTPS communication channels which effectively blocks both eavesdropping and DNS data manipulation by third parties between the client and the DNS server. DNS over HTTPS Request DNS over HTTPS Request By abusing the DoH protocol, the Godlua malware hides the URLs of the C2 servers used during the later stages of the infection process from prying eyes, URLs that it gets from the DNS TXT record of a domain it collects during the first stage. Godlua is the first observed malware that makes use of the DNS over HTTPS protocol to conceal part of its C2 infrastructure from analysts and anti-malware analysis tools according to Cisco Talos threat researcher Nick Biasini. More details on how this malware communicates with its C2 infrastructure and indicators of compromise (IOCs) are provided by the Qihoo 360's research team in their Godlua backdoor analysis. https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/ Page 3 of 4 Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other. This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Source: https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/ https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/ Page 4 of 4